EP2562675A1 - Method for hardware partitioning of the resources of a secured computer system - Google Patents
Method for hardware partitioning of the resources of a secured computer system
- Publication number: EP2562675A1 (application EP11306056A)
- Authority: EP (European Patent Office)
- Prior art keywords: program, key, memory, hardware, data
- Legal status: Withdrawn (status as listed by Google Patents, which states that it has not performed a legal analysis)
Classifications
- G06F12/1408 — Protection against unauthorised use of memory or access to memory by using cryptography (under G06F12/14 Protection against unauthorised use of memory or access to memory; G06F12/00 Accessing, addressing or allocating within memory systems or architectures)
- G06F21/71 — Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information (under G06F21/70; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F21/74 — As G06F21/71, operating in dual or compartmented mode, i.e. at least one secure mode
- G06F21/78 — Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data (under G06F21/70)
- G06F9/5061 — Partitioning or combining of resources (under G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]; G06F9/46 Multiprogramming arrangements; G06F9/06 Arrangements for program control using stored programs; G06F9/00 Arrangements for program control, e.g. control units)
- H04L9/0861 — Generation of secret information including derivation or calculation of cryptographic keys or passwords (under H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
- G06F2221/2105 — Dual mode as a secondary aspect (under G06F2221/21, indexing scheme relating to G06F21/00 and subgroups)
Definitions
- The present invention relates to a method for hardware partitioning of the resources of a secure computer system. More particularly, it relates to a method for partitioning a nonvolatile memory, for example of the flash type. The invention also relates to a system implementing such a partitioning method.
- A known protection solution consists in managing access to the memory through a memory management unit (MMU).
- MMU: memory management unit.
- Each program executed by the operating system is assigned a protected memory area that no other program can access. Therefore, a given program cannot access (read and/or write) the memory used by another program, or even by the operating system itself.
- An MMU is suitable only for operating systems or virtual machines where applications are stored in specific areas of memory.
- The Java Card virtual machine is an example of a virtual machine in which memory protection is performed without an MMU.
- Memory protection is achieved by a software mechanism that includes an isolation mechanism (sometimes referred to as a firewall) that selectively allows information to flow between applications.
- This isolation mechanism is intended to neutralize unauthorized access attempts to application data coming from other applications.
- This protection, provided by the firewall's management of access to the applications, can be supplemented by protection of the memory pages, at the operating system or hardware level, against any unauthorized access attempt.
- This memory page protection is achieved by encrypting the memory contents with a single encryption key, to provide an execution environment resistant to physical attacks and to information leaks via the processor address bus.
- The major disadvantage of such memory management lies in the fact that the memory protection is based on the software layer, regardless of the protection granularity to be provided to said memory (encryption of the whole memory contents, encryption per page or encryption per application).
- The decrease in performance of the virtual machine due to software management of the memory protection is particularly sensitive to the chosen protection granularity. The finer this granularity, the more system resources that could be used for other purposes will be monopolized.
- The invention is precisely intended to meet this need.
- The invention proposes a memory protection method whose management is no longer performed at the software level but rather at the hardware level.
- The invention proposes a hardware mechanism capable, firstly, of managing the identification of the programs in order to retrieve the keys associated with them and, secondly, of protecting the contents of said memory with these same keys.
- The hardware mechanism includes means for generating new keys on demand and storing them in a secure manner. Each generated key is program-specific.
- This mechanism comprises means for encrypting the program data with the active key generated during a storage phase.
- The mechanism comprises means capable of decrypting said program data with said specific key in response to a read, write or solicitation request.
- This mechanism is capable of encrypting data at a granularity of a multiple of a byte.
- Each application can be protected with a dedicated key obtained on request. Therefore, a recovery (or dump) of a full memory image through one application will not give access to the other applications in the memory.
- The applications are thus partitioned from each other in hardware.
- The invention also relates to a secure computer system comprising hardware means for executing the method for hardware partitioning of its resources according to the invention.
- The resources of the system to be partitioned may be any type of existing or future nonvolatile memory.
- These memories can be of the flash, MRAM, PCRAM or FeRAM type.
- Figure 1 shows an example of a mode of operation of an initialization phase of a method for hardware partitioning of the resources of a secure computer system, including the programs and data of the latter.
- A secure computer system can be an operating system, a runtime environment, a virtual machine, and so on.
- The term hardware is used in contrast to the software layer of the system.
- The partitioning mode is performed by a hardware mechanism 13 of the hardware 12.
- This hardware mechanism 13 comprises all of the devices incorporated in the hardware 12 for performing the partitioning method of the invention.
- This hardware mechanism 13 is implemented in the hardware 12 according to constraints of size (capacity) and/or speed of the desired processing. In one embodiment, it may be implemented in the memory to be partitioned.
- By program we mean here not only the executable code, that is to say a sequence of instructions, but also the process (or task), that is to say the code being executed, with its specific environment consisting of its own data as well as the resources allocated to it.
- By data we mean the values manipulated by a program as well as the memory areas where values are stored.
- The data belongs to the program that created it or, more generally, to a group of programs that have access rights to that data. These rights, managed by the firewall, can be assigned to other programs for particular selected operations; such data is said to be shareable.
- The initialization phase illustrated in figure 1 comprises a preliminary step 100 in which the system 11 detects a new program 10.
- The system 11 sends the hardware mechanism 13 a request to generate a new program key.
- This request comprises in particular an identifier of the program.
- The request for generating a new key comprises a context represented by a byte holding a numeric identification value of the program. This context is stored in the headers.
- The hardware mechanism generates a new key Ki specific to said new program 10. This key can be generated randomly.
- The hardware mechanism stores the key Ki in a partition memory 14 of the hardware 12.
- The memory 14 is, for example, structured as a table.
- A line of the table corresponds to a key Ki generated by the hardware mechanism.
- Each column of the table corresponds to a piece of information on the program to which this key is allocated.
- The memory 14 comprises in particular a line 14a corresponding to a key Ki and a column 14b indicating the identity of the program for which said key has been generated. All data subsequently created by the program 10 is encrypted with the key associated with it.
- Figure 2 shows an embodiment where the role of the system 11 is confined to relaying, between the hardware 12 and a program, any request to manipulate (call, read or write) a program's data.
- Programs 1 to N run simultaneously (or alternately) in the system 11.
- The programs 1 to N issue requests to manipulate a data item.
- When the system 11 detects such a manipulation request, it transmits to the hardware 12 a message including in particular the manipulation request and an identifier of the program to which the data to be handled belongs.
- The hardware mechanism 13 receives the message sent by the system 11.
- The hardware mechanism 13 extracts from the partition memory 14 the key Ki associated with the identifier of said program.
- The hardware mechanism 13 transmits the extracted key Ki to an encryption/decryption unit 15.
- The unit 15 is able to encrypt the program data received from the system 11 with the key Ki specific to this program. This encrypted data is then stored in the storage memory 16.
- The storage memory 16 is organized in pages; several programs can be recorded on the same page while remaining partitioned from one another.
- This granularity of protection proposed by the invention makes it possible, by encrypting the data with a key specific to each program, to create a mechanism for partitioning program data from the data of other programs, thus ensuring data confidentiality.
- The hardware mechanism finds the key to use from the identifier of the currently selected program. Upon receipt of the encrypted data, the unit 15 decrypts it with the extracted key Ki associated with the program. The hardware mechanism 13 then transmits the decrypted data to the requesting program via the system 11.
- Figure 3 shows another embodiment where the role of the system 11 is increased compared to that described in figure 2.
- An identification reference of this key Ki is transmitted by the hardware 12 to the system 11 for storage in a system database.
- This identification reference is stored in a column 14c of the line 14a, corresponding to the generated key Ki, of the partition memory 14.
- This reference is often a pointer or a "handle".
- A pointer is the address where data is stored in the memory.
- A "handle" is an index in a table of pointers (or more generally in a table of references).
- The values of the pointers and "handles" also sometimes include specific bits that give information about the data (for example on the referenced memory area or on the information contained therein) or, in the case of "handles", on the associated table.
- The identification reference is generated by the system 11 during the initialization phase illustrated in figure 1 and transmitted to the hardware 12.
- The hardware mechanism stores it in the column 14c of the generated key. This identification reference is also stored in the system database.
- When the system 11 receives, from a running program 1 to N, a request to manipulate a piece of data, it extracts, in a step 300, from its database the identification reference of the key Ki associated with the program owning the requested data. The system 11 then transmits to the hardware 12 a message including in particular the extracted identification reference and the manipulation request comprising the identifier of the program to which the data to be handled belongs.
- The hardware mechanism 13 then receives the message sent by the system 11.
- The hardware mechanism 13 extracts from the access control memory 14 the key Ki associated with the received identification reference.
- The hardware mechanism 13 transmits the extracted key Ki to an encryption/decryption unit 15.
- The unit 15 is able to encrypt the program data received from the system 11 with the key Ki specific to this program. This encrypted data is then stored in the storage memory 16.
- The hardware mechanism 13 finds the key to use from the received identification reference and the identifier of the currently selected program. Upon receipt of the encrypted data, the unit 15 decrypts it with the extracted key Ki associated with the program. The hardware mechanism 13 then transmits the decrypted data to the requesting program via the system 11.
- The partition and storage memories 14 are only an illustration of a possible implementation of the components and data records. In practice, these memories are unified or distributed according to constraints of size (capacity) and/or speed of the desired processing.
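A software model of the mechanism described in the list above (figures 1 to 3), added here as an illustration and not taken from the patent: the partition memory 14 as a key table with columns 14b and 14c, an address-bound HMAC-SHA256 keystream standing in for the unspecified encryption unit 15, and a paged storage memory 16 shared by several programs. The page size, program identifiers and sample data are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PAGE_SIZE = 64  # constructed page size for this model; the patent fixes none


@dataclass
class KeyRecord:
    """One line 14a of the partition memory 14."""
    program_id: int  # column 14b: identity of the program the key was generated for
    key: bytes       # the program-specific key Ki
    handle: int      # column 14c: identification reference handed to system 11 (figure 3)


class HardwareMechanism:
    """Model of hardware mechanism 13: key table 14, cipher unit 15, storage memory 16."""

    def __init__(self, rng=os.urandom):
        self._table = []            # partition memory 14, one KeyRecord per line
        self._rng = rng             # os.urandom stands in for the hardware key generator
        self.storage = bytearray()  # storage memory 16, addressed in PAGE_SIZE-byte pages

    # --- initialization phase (figure 1) ---
    def new_program_key(self, program_id):
        """Generate a key Ki for a newly detected program; return its identification reference."""
        if self._lookup(program_id=program_id) is not None:
            raise ValueError(f"program {program_id} already has a key")
        record = KeyRecord(program_id, self._rng(16), handle=len(self._table))
        self._table.append(record)
        return record.handle

    def _lookup(self, program_id=None, handle=None):
        hits = [r for r in self._table if r.program_id == program_id or r.handle == handle]
        return hits[0] if hits else None

    # --- encryption/decryption unit 15 ---
    @staticmethod
    def _keystream(key, address, length):
        """Address-bound HMAC-SHA256 keystream: a stand-in for unit 15, not the patent's cipher."""
        out, counter = bytearray(), 0
        while len(out) < length:
            msg = address.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(key, msg, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _crypt(self, key, address, data):
        """XOR with the keystream: one operation encrypts and decrypts at byte granularity."""
        return bytes(a ^ b for a, b in zip(data, self._keystream(key, address, len(data))))

    # --- manipulation requests relayed by system 11 (figures 2 and 3) ---
    def store(self, program_id, data):
        """Encrypt data under the owning program's Ki and append it to storage 16; return its address."""
        record = self._lookup(program_id=program_id)
        if record is None:
            raise KeyError(f"no key for program {program_id}")
        address = len(self.storage)  # records of different programs land on shared pages
        self.storage += self._crypt(record.key, address, data)
        return address

    def load(self, program_id, address, length):
        """Figure 2: Ki is selected from the program identifier carried by the request."""
        record = self._lookup(program_id=program_id)
        if record is None:
            raise KeyError(f"no key for program {program_id}")
        return self._crypt(record.key, address, bytes(self.storage[address:address + length]))

    def load_by_handle(self, handle, program_id, address, length):
        """Figure 3: Ki is selected from the reference held by system 11, checked against the identifier."""
        record = self._lookup(handle=handle)
        if record is None or record.program_id != program_id:
            raise KeyError("identification reference does not match the requesting program")
        return self._crypt(record.key, address, bytes(self.storage[address:address + length]))


def demo():
    """Two programs whose records share page 0, each partitioned by its own key; returns the checks."""
    hw = HardwareMechanism()
    system_db = {pid: hw.new_program_key(pid) for pid in (1, 2)}  # system 11's reference store
    secret_1 = b"balance=1000"  # constructed data owned by program 1
    secret_2 = b"pin=4321"      # constructed data owned by program 2
    addr_1 = hw.store(1, secret_1)
    addr_2 = hw.store(2, secret_2)
    return {
        "same_page": addr_1 // PAGE_SIZE == addr_2 // PAGE_SIZE,
        "own_read_ok": hw.load(1, addr_1, len(secret_1)) == secret_1,
        "handle_read_ok": hw.load_by_handle(system_db[2], 2, addr_2, len(secret_2)) == secret_2,
        # a dump of page 0 read back under program 1's key leaves program 2's record opaque
        "cross_read_opaque": hw.load(1, addr_2, len(secret_2)) != secret_2,
        "ciphertext_hides_plaintext": bytes(hw.storage[addr_1:addr_1 + len(secret_1)]) != secret_1,
    }
```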
Description
The present invention relates to a method for hardware partitioning of the resources of a secure computer system. More particularly, it relates to a method for partitioning a nonvolatile memory, for example of the flash type. The invention also relates to a system implementing such a partitioning method.
In recent years, several software architectures for memory protection have been proposed to prevent an attacker from disrupting the proper operation of an application or a program in order to access that memory and recover a complete image of it.
A known protection solution consists in managing access to the memory through a memory management unit (MMU). According to the MMU principle, each program executed by the operating system is assigned a protected memory area that no other program can access. Consequently, a given program cannot access (in read and/or write) the memory used by another program, or even by the operating system itself.
If an attempt to access out-of-range memory is detected, the MMU raises an interrupt. This is intercepted by the processor and generally results in the execution of the application being stopped, or even in a reset of the system.
However, not all operating systems or virtual machines are equipped with an MMU. Indeed, an MMU is only suited to operating systems or virtual machines where applications are stored in specific areas of memory.
The Java Card virtual machine is an example of a virtual machine in which memory protection is achieved without an MMU. Memory protection is provided by a software mechanism that includes an isolation mechanism (sometimes called a firewall) allowing selective passage of information flows between applications. The purpose of this isolation mechanism is to neutralize unauthorized access attempts to application data coming from other applications. This protection, provided by the firewall's management of access to the applications, can be supplemented by protection of the memory pages, at the operating system or hardware level, against any unauthorized access attempt.
This protection of the memory pages is obtained by encrypting the memory contents with a single encryption key, in order to provide an execution environment resistant to physical attacks and to information leaks via the processor address bus.
However, this type of memory protection has drawbacks. Indeed, through physical disturbances (fault injection) applied to the memory, the attacker can turn an innocuous read by a given application into the recovery of a complete image of the memory. To strengthen memory protection, another known solution consists in encrypting each data page of the memory with a key specific to that page. An attacker who copies the memory will then only be able to access the applications sharing the same page as the one through which the copy (or dump) was made. To partition the applications from one another, one page per application would be required, which would degrade the optimization of memory resources.
The major drawback of such memory management lies in the fact that memory protection relies on the software layer, whatever the protection granularity to be provided to the memory (encryption of the whole memory contents, encryption per page or encryption per application). The drop in virtual machine performance due to software management of memory protection is particularly sensitive to the chosen protection granularity: the finer the granularity, the more system resources that could be used for other purposes are monopolized.
Thus, at present, there is a need to improve memory protection while avoiding a degradation of system performance.
The invention is precisely intended to meet this need. To that end, the invention proposes a memory protection method whose management is no longer carried out at the software level but rather at the hardware level.
To do this, the invention proposes a hardware mechanism capable, on the one hand, of managing the identification of programs in order to retrieve the keys associated with them and, on the other hand, of protecting the contents of the memory with those same keys.
To this end, the hardware mechanism comprises means for generating new keys on demand and storing them securely. Each generated key is specific to one program. The mechanism comprises means for encrypting the program's data with the active key generated during a storage phase. It comprises means capable of decrypting the program's data with that specific key in response to a read, write or solicitation request. The mechanism is capable of encrypting data at a granularity of a multiple of a byte.
Thus, with the invention, each application can be protected with a dedicated key obtained on demand. Consequently, a recovery (or dump) of a complete memory image through one application will not give access to the other applications in the memory. The applications are thus partitioned from one another in hardware.
The present invention therefore relates to a method for hardware partitioning of the resources of a secure computer system. The hardware of the system comprises a hardware mechanism intended to:
- generate a cryptographic key for each new program detected by the system, this key being specific to each program,
- store said key, associated with an identifier of the program, in the resources of the system,
- encrypt and store in the resources of the system all data created by the program with the key specific to it,
- decrypt the program's data with the key specific to it in response to a manipulation, call, read and/or write request from a requesting program.
The invention also relates to a secure computer system comprising hardware means for executing the method for hardware partitioning of its resources according to the invention.
In a preferred embodiment, the resources of the system to be partitioned may be any type of existing or future nonvolatile memory. These memories may be of the flash, MRAM, PCRAM or FeRAM type.
The invention will be better understood on reading the following description and examining the accompanying figures. These are given by way of indication and are in no way limiting of the invention.
- Figure 1 shows an illustration of steps corresponding to a mode of operation of the method of the invention.
- Figures 2 and 3 respectively show a schematic representation of a hardware mechanism for controlling access to resources according to one embodiment of the invention.
The present invention will now be described in detail with reference to a few preferred embodiments, as illustrated in the appended drawings. In the following description, numerous specific details are provided in order to offer a thorough understanding of the present invention. It will be evident, however, to a person skilled in the art that the present invention may be practiced without all or some of these specific details.
In order not to unnecessarily obscure the description of the present invention, well-known structures, devices or algorithms have not been described in detail.
It should be recalled that, in the description, when an action is attributed to a program or to a system comprising a microprocessor, this action is executed by the microprocessor controlled by instruction codes recorded in a memory of that system.
The
Here, the term hardware is used in contrast to the software layer of the system. In the invention, the partitioning is carried out by a hardware mechanism 13 of the hardware 12. This hardware mechanism 13 comprises all the devices built into the hardware 12 that are intended to carry out the partitioning method of the invention.
This hardware mechanism 13 is implemented in the hardware 12 according to the size (capacity) and/or processing-speed constraints required. In one embodiment, it may be implemented in the memory to be partitioned.
When several programs run simultaneously (or alternately) in the system, we want to ensure that the execution of one does not affect the execution of the others, nor that of the system: they are isolated. Some programs may be allowed to interact with one another, but only under a strict policy (a firewall) of controlled data sharing. This strict sharing policy, together with the hardware mechanism of the invention, protects against the propagation of unintentional programming errors and, above all, against malicious actions (such as a dump attack) that would disrupt the proper operation of the system and its programs or disclose confidential information.
By program is meant here not only the executable code, that is, a sequence of instructions, but also the process (or task), that is, the code while it is running, together with its specific environment consisting of its own data and the resources allocated to it.
By data is meant both the values manipulated by a program and the memory areas in which values are stored. Depending on the system, data belongs to the program that created it or, more generally, to a group of programs that hold access rights to that data. These rights, managed by the firewall, may be granted to other programs for particular selected operations; such data is said to be shareable.
For example, in the Java Card language (a registered trademark of Sun Microsystems), programs are organised into packages, within which the sharing of data (objects and arrays) is unrestricted. Access to data belonging to another package, on the other hand, is limited by two software devices: an access-management mechanism and a firewall. To access data one does not own, a request must be made to the virtual machine, which may accept or refuse the access request. The firewall, moreover, filters every operation that can be performed on a data item, whatever the means by which it was obtained. In particular, any read or write operation on an object of another package is forbidden, except to call a method (program routine) that the package has explicitly declared shareable.
This software protection of access to data in memory is complemented by the memory partitioning method illustrated in
The initialisation phase illustrated in
At a step 103, the hardware mechanism 13 stores the key Ki in a partitioning memory 14 of the hardware. The memory 14 is, for example, structured as a table: each row of the table corresponds to a key Ki generated by the hardware mechanism, and each column of the table corresponds to an item of information about the program to which that key is assigned. Thus the memory 14 comprises in particular a row 14a corresponding to a key Ki and a column 14b recording the identity of the program for which that key was generated. All data subsequently created by the program 10 is encrypted with the key associated with it.
The
In the example of
If the manipulation request is a write request, the hardware mechanism 13 passes the extracted key Ki to an encryption/decryption unit 15. The unit 15 encrypts the program's data, received from the system 11, with the key Ki specific to that program. The encrypted data is then stored in the storage memory 16. When the storage memory 16 is organised in pages, several programs can be stored on the same page while remaining partitioned from one another.
This granularity of protection proposed by the invention, by encrypting data with a key specific to each program, creates a mechanism that partitions a program's data from the data of all other programs, thereby guaranteeing the confidentiality of the data.
If the manipulation request is a read request or a request for a data item, the hardware mechanism retrieves the key to be used from the identifier of the currently selected program. On receipt of the encrypted data, the unit 15 decrypts it with the extracted key Ki associated with the program. The hardware mechanism 13 then passes the decrypted data to the requesting program via the system 11.
If a full image of the memory is recovered while the manipulation request is being executed, the data of programs other than the requesting one will be decrypted with the wrong key, since only the currently selected program's key Ki is applied; the dump therefore exposes at most the requesting program's own data in the clear.
The
In another embodiment, the identification reference is generated by the system 11 during the initialisation phase illustrated in
When the system 11 receives, from one of the running programs 1 to N, a request to manipulate a data item, it extracts from its database, at a step 300, the identification reference of the key Ki associated with the program that owns the requested data. The system 11 then sends the hardware 12 a message comprising, in particular, the extracted identification reference and the manipulation request, which includes the identifier of the program that owns the data to be manipulated.
The hardware mechanism 13 then receives the message sent by the system 11 and extracts from the partitioning (access-control) memory 14 the key Ki associated with the identification reference received.
If the manipulation request is a write request, the hardware mechanism 13 passes the extracted key Ki to the encryption/decryption unit 15, which encrypts the program's data, received from the system 11, with the key Ki specific to that program. The encrypted data is then stored in the storage memory 16.
If the manipulation request is a read request or a request for a data item, the hardware mechanism 13 retrieves the key to be used from the identification reference received and from the identifier of the currently selected program. On receipt of the encrypted data, the unit 15 decrypts it with the extracted key Ki associated with the program. The hardware mechanism 13 then passes the decrypted data to the requesting program via the system 11.
The depiction of the partitioning memory 14 and the storage memory 16 is only one possible layout of components and data records. In practice these memories are unified or distributed according to the size (capacity) and/or processing-speed constraints required.
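The two embodiments above (a key selected by the identifier of the currently selected program from step 103 onward, and a key selected by an identification reference that system 11 supplies at step 300) share one mechanism. The following Python model is an added example and is not code from the patent or from any implementation of it. The class and method names (HardwareMechanism, CipherUnit, initialize_program, write, read, dump), the way the key reference is checked against the program's key, and the sample data are assumptions made here; the page names no cipher for unit 15, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for it.

```python
# Added example, not code from the patent: a software model of the hardware
# partitioning mechanism 13. Names and the key-reference check are assumptions
# made for illustration; the cipher is a stand-in for the unnamed unit 15.
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 16


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the confidentiality key from the integrity key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class CipherUnit:
    """Stand-in for the encryption/decryption unit 15."""

    @staticmethod
    def encrypt(key: bytes, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)  # fresh per write, so equal values never share ciphertext
        ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ct + tag

    @staticmethod
    def decrypt(key: bytes, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            # Another program's Ki is rejected here instead of silently yielding
            # garbage, which is all a wrong key could produce.
            raise PermissionError("data does not belong to the selected program")
        ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


class HardwareMechanism:
    """Stand-in for mechanism 13: key table (memory 14) and storage (memory 16)."""

    def __init__(self) -> None:
        self._table = {}   # memory 14: program id (column 14b) -> Ki (row 14a)
        self._refs = {}    # second embodiment: reference chosen by system 11 -> Ki
        self.storage = {}  # memory 16: address -> ciphertext; pages shared by programs

    def initialize_program(self, program_id: str, key_ref: Optional[int] = None) -> None:
        """Step 103: generate Ki for a program and record which program owns it."""
        key = os.urandom(32)
        self._table[program_id] = key
        if key_ref is not None:
            self._refs[key_ref] = key

    def _select_key(self, program_id: str, key_ref: Optional[int]) -> bytes:
        # First embodiment: the currently selected program id alone selects Ki.
        # Second embodiment: the reference sent by system 11 must also match that Ki.
        key = self._table[program_id]
        if key_ref is not None and self._refs.get(key_ref) != key:
            raise PermissionError("key reference does not match the selected program")
        return key

    def write(self, program_id: str, address: int, data: bytes, key_ref: Optional[int] = None) -> None:
        self.storage[address] = CipherUnit.encrypt(self._select_key(program_id, key_ref), data)

    def read(self, program_id: str, address: int, key_ref: Optional[int] = None) -> bytes:
        return CipherUnit.decrypt(self._select_key(program_id, key_ref), self.storage[address])

    def dump(self) -> bytes:
        """A full image of memory 16, as a dump attack would obtain it."""
        return b"".join(self.storage[a] for a in sorted(self.storage))


def demo() -> dict:
    hw = HardwareMechanism()
    hw.initialize_program("applet_A")             # first embodiment
    hw.initialize_program("applet_B", key_ref=7)  # second embodiment: system 11 holds reference 7

    # Constructed sample data: two programs sharing the same page of memory 16.
    hw.write("applet_A", 0x100, b"PIN=1234")
    hw.write("applet_B", 0x108, b"balance=50", key_ref=7)

    def attempt(fn):
        try:
            return fn()
        except PermissionError:
            return "rejected"

    image = hw.dump()
    return {
        "a_reads_own": hw.read("applet_A", 0x100),
        "b_reads_own_via_ref": hw.read("applet_B", 0x108, key_ref=7),
        "a_reads_b": attempt(lambda: hw.read("applet_A", 0x108)),
        "b_with_wrong_ref": attempt(lambda: hw.read("applet_B", 0x108, key_ref=99)),
        "image_leaks_plaintext": b"PIN=1234" in image or b"balance=50" in image,
    }
```

Running demo() shows each program reading back its own data, program A's read of B's address and a read with a stale reference both rejected, and a full image of memory 16 containing no plaintext. Two points the page leaves open are worth noting: the description says only that foreign data comes out decrypted "with the wrong key", so a hardware unit without the authentication tag used here would return garbage rather than an error, and the partitioning memory 14 holds every Ki, so it must itself be out of reach of the dump the scheme defends against.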
Claims (8)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP11306056A EP2562675A1 (en) | 2011-08-19 | 2011-08-19 | Method for hardware partitioning of the resources of a secured computer system |
EP12740619.7A EP2745233A1 (en) | 2011-08-19 | 2012-07-31 | Method for hard partitioning the resources of a secure computer system |
US14/239,777 US20140189373A1 (en) | 2011-08-19 | 2012-07-31 | Method for hard partitioning the resources of a secure computer system |
PCT/EP2012/064971 WO2013026662A1 (en) | 2011-08-19 | 2012-07-31 | Method for hard partitioning the resources of a secure computer system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP11306056A EP2562675A1 (en) | 2011-08-19 | 2011-08-19 | Method for hardware partitioning of the resources of a secured computer system |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2562675A1 true EP2562675A1 (en) | 2013-02-27 |
Family
ID=46584053
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP11306056A Withdrawn EP2562675A1 (en) | 2011-08-19 | 2011-08-19 | Method for hardware partitioning of the resources of a secured computer system |
EP12740619.7A Withdrawn EP2745233A1 (en) | 2011-08-19 | 2012-07-31 | Method for hard partitioning the resources of a secure computer system |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP12740619.7A Withdrawn EP2745233A1 (en) | 2011-08-19 | 2012-07-31 | Method for hard partitioning the resources of a secure computer system |
Country Status (3)
Country | Link |
---|---|
US (1) | US20140189373A1 (en) |
EP (2) | EP2562675A1 (en) |
WO (1) | WO2013026662A1 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015142970A1 (en) * | 2014-03-20 | 2015-09-24 | Microsoft Technology Licensing, Llc | Rapid data protection for storage devices |
US9430664B2 (en) | 2013-05-20 | 2016-08-30 | Microsoft Technology Licensing, Llc | Data protection for organizations on computing devices |
US9477614B2 (en) | 2011-08-30 | 2016-10-25 | Microsoft Technology Licensing, Llc | Sector map-based rapid data encryption policy compliance |
US9825945B2 (en) | 2014-09-09 | 2017-11-21 | Microsoft Technology Licensing, Llc | Preserving data protection with policy |
US9853820B2 (en) | 2015-06-30 | 2017-12-26 | Microsoft Technology Licensing, Llc | Intelligent deletion of revoked data |
US9853812B2 (en) | 2014-09-17 | 2017-12-26 | Microsoft Technology Licensing, Llc | Secure key management for roaming protected content |
US9900325B2 (en) | 2015-10-09 | 2018-02-20 | Microsoft Technology Licensing, Llc | Passive encryption of organization data |
US9900295B2 (en) | 2014-11-05 | 2018-02-20 | Microsoft Technology Licensing, Llc | Roaming content wipe actions across devices |
CN114327371A (en) * | 2022-03-04 | 2022-04-12 | 支付宝(杭州)信息技术有限公司 | Secret sharing-based multi-key sorting method and system |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6466476B2 (en) * | 2014-03-19 | 2019-02-06 | インテル コーポレイション | Access isolation for multi-operating system devices |
JP6318878B2 (en) * | 2014-06-04 | 2018-05-09 | 富士通株式会社 | COMMUNICATION DEVICE, SYSTEM, AND COMMUNICATION PROCESSING METHOD |
US10043031B2 (en) * | 2016-11-08 | 2018-08-07 | Ebay Inc. | Secure management of user addresses in network service |
CN114528603B (en) * | 2022-04-24 | 2022-07-15 | 广州万协通信息技术有限公司 | Isolation dynamic protection method, device, equipment and storage medium of embedded system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5915025A (en) * | 1996-01-17 | 1999-06-22 | Fuji Xerox Co., Ltd. | Data processing apparatus with software protecting functions |
US20030133574A1 (en) * | 2002-01-16 | 2003-07-17 | Sun Microsystems, Inc. | Secure CPU and memory management unit with cryptographic extensions |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8386797B1 (en) * | 2002-08-07 | 2013-02-26 | Nvidia Corporation | System and method for transparent disk encryption |
US8473754B2 (en) * | 2006-02-22 | 2013-06-25 | Virginia Tech Intellectual Properties, Inc. | Hardware-facilitated secure software execution environment |
US9715598B2 (en) * | 2010-11-17 | 2017-07-25 | Invysta Technology Group | Automatic secure escrowing of a password for encrypted information an attachable storage device |
- 2011
  - 2011-08-19 EP EP11306056A patent/EP2562675A1/en not_active Withdrawn
- 2012
  - 2012-07-31 WO PCT/EP2012/064971 patent/WO2013026662A1/en active Application Filing
  - 2012-07-31 EP EP12740619.7A patent/EP2745233A1/en not_active Withdrawn
  - 2012-07-31 US US14/239,777 patent/US20140189373A1/en not_active Abandoned
Non-Patent Citations (2)
Title |
---|
DALE ANDERSON: "Understanding CryptoMemory", 18 March 2004 (2004-03-18), XP055017670, Retrieved from the Internet <URL:http://www.atmel.com/dyn/resources/prod_documents/doc5064.pdf> [retrieved on 20120126] * |
KUHN M: "The TrustNo 1 Cryptoprocessor Concept", INTERNET CITATION, 30 April 1997 (1997-04-30), XP002265827, Retrieved from the Internet <URL:http://www.cl.cam.ac.uk/~mgk25/trustno1.pdf> [retrieved on 19970430] * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9477614B2 (en) | 2011-08-30 | 2016-10-25 | Microsoft Technology Licensing, Llc | Sector map-based rapid data encryption policy compliance |
US9740639B2 (en) | 2011-08-30 | 2017-08-22 | Microsoft Technology Licensing, Llc | Map-based rapid data encryption policy compliance |
US9430664B2 (en) | 2013-05-20 | 2016-08-30 | Microsoft Technology Licensing, Llc | Data protection for organizations on computing devices |
WO2015142970A1 (en) * | 2014-03-20 | 2015-09-24 | Microsoft Technology Licensing, Llc | Rapid data protection for storage devices |
US10615967B2 (en) | 2014-03-20 | 2020-04-07 | Microsoft Technology Licensing, Llc | Rapid data protection for storage devices |
US9825945B2 (en) | 2014-09-09 | 2017-11-21 | Microsoft Technology Licensing, Llc | Preserving data protection with policy |
US9853812B2 (en) | 2014-09-17 | 2017-12-26 | Microsoft Technology Licensing, Llc | Secure key management for roaming protected content |
US9900295B2 (en) | 2014-11-05 | 2018-02-20 | Microsoft Technology Licensing, Llc | Roaming content wipe actions across devices |
US9853820B2 (en) | 2015-06-30 | 2017-12-26 | Microsoft Technology Licensing, Llc | Intelligent deletion of revoked data |
US9900325B2 (en) | 2015-10-09 | 2018-02-20 | Microsoft Technology Licensing, Llc | Passive encryption of organization data |
CN114327371A (en) * | 2022-03-04 | 2022-04-12 | 支付宝(杭州)信息技术有限公司 | Secret sharing-based multi-key sorting method and system |
CN114327371B (en) * | 2022-03-04 | 2022-06-21 | 支付宝(杭州)信息技术有限公司 | Secret sharing-based multi-key sorting method and system |
Also Published As
Publication number | Publication date |
---|---|
EP2745233A1 (en) | 2014-06-25 |
US20140189373A1 (en) | 2014-07-03 |
WO2013026662A1 (en) | 2013-02-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2562675A1 (en) | Method for hardware partitioning of the resources of a secured computer system | |
CN108932297B (en) | Data query method, data sharing method, device and equipment | |
US10007793B2 (en) | Secure object having protected region, integrity tree, and unprotected region | |
US8190917B2 (en) | System and method for securely saving and restoring a context of a secure program loader | |
EP3087524B1 (en) | Virtual machine assurances | |
AU2013226326B2 (en) | Log structured volume encryption for virtual machines | |
KR101081118B1 (en) | System and method for securely restoring a program context from a shared memory | |
US7734934B2 (en) | Seamless data migration | |
US8954752B2 (en) | Building and distributing secure object software | |
KR101054981B1 (en) | Computer-implemented methods, information processing systems, and computer-readable recording media for securely storing the context of a program | |
US20080104417A1 (en) | System and method for file encryption and decryption | |
US9779032B2 (en) | Protecting storage from unauthorized access | |
TWI490724B (en) | Method for loading a code of at least one software module | |
US9430278B2 (en) | System having operation queues corresponding to operation execution time | |
CN115758420A (en) | File access control method, device, equipment and medium | |
US10880082B2 (en) | Rekeying keys for encrypted data in nonvolatile memories | |
EP2860660A1 (en) | System and method for securely loading data in a cache memory associated with a secure processor | |
CA2563144C (en) | System and method for file encryption and decryption | |
US20220407685A1 (en) | Encryption in a distributed storage system utilizing cluster-wide encryption keys | |
WO2024045141A1 (en) | Confidential and performant lambda/function system in cloud | |
US20240064130A1 (en) | Authenticating key-value data pairs for protecting node related data | |
Ciesla et al. | You, Your Organization, and Cryptographic Security | |
Onarlioglu | Retrofitting Privacy into Operating Systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
 | AX | Request for extension of the european patent | Extension state: BA ME |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
 | 18D | Application deemed to be withdrawn | Effective date: 20130828 |